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~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address- 
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Examiner's Amendment 

1 . An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Daniel Ledesma on 28 January 2010. 

2. The application has been amended as follows: 

1 . (currently amended) A computer-implemented method for controlling access to a 
resource of a plurality of resources, the method comprising the steps of: 
one or more processors creating and storing in a filesystem of an Operating System a 

plurality of files that each represents a different resource of the plurality of 

resources; 

the one or more processors assigning an access value to a file attribute of a file that 

represents the resource, wherein the file attribute is used by the Operating System 
to manage file access, wherein the access value corresponds to a combination of a 
particular role and the resource; 

the one or more processors receiving user-identifying information from a user requesting 
access to the resource, wherein the user-identifying information comprises a role 
associated with the user, wherein the role is determined from a user identifier 
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uniquely associated with the user and from a group identifier associated with a 

group that includes the user; 
the one or more processors receiving a resource identifier associated with the resource; 
the one or more processors creating an access identifier based on the user-identifying 

information and the resource identifier, wherein the access identifier is formatted 

as a file attribute that is used by the Operating System to manage file access; 
wherein the step of creating an access identifier based on the user-identifying information 

and the resource identifier comprises formatting the access identifier as a group 

identifier file attribute; 
the one or more processors calling the Operating System to perform a file operation on 

the file, wherein calling the Operating System includes providing the access 

identifier to the Operating System; [[and]] 
wherein the step of calling the Operating System to perform an operation on the file 

representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an Operating 

System process; and 
calling an Operating System routine from the Operating System process to 

perform the operation on the file representing the resource; 
the one or more processors granting the user access to the resource only when the 
Operating System call successfully performs the file operation, wherein the 
Operating System call successfully performs the file operation if the access 
identifier matches the access value; 
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wherein the file operation on the file representing the resource is selected from a group 
consisting of opening the file, closing the file, deleting the file, reading from the 
file, writing to the file, executing the file, appending to the file, reading a file 
attribute, and writing a file attribute; 

reading a permission bit associated with the file representing the resource, wherein the 
permission bit corresponds to the operation performable on the file representing 
the resource; 

based on the operation on the file indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission bit allows the operation to be performed on the file 

representing the resource . 



2. (original) A method as recited in Claim 1, wherein the access identifier comprises: 

a first set of bits for storing a role identifier, wherein the role identifier is associated with 
the role; and 

a second set of bits for storing the resource identifier. 



3. (canceled) 



4. (original) A method as recited in Claim 1, wherein the step of calling the Operating 
System to perform an operation on the file representing the resource comprises 
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comparing the access identifier to an identifier included in an Access Control List file 
attribute associated with the file representing the resource, wherein the Access Control 
List file attribute includes the identifiers of all users and all groups of users allowed to 
access the file representing the resource. 



5. (canceled) 



6. (canceled) 



7. (previously presented) A method as recited in Claim 1 , the method further comprising the 
steps of: 

opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with a 

resource operation; and 
enabling the user to perform the resource operation on the resource only when the 

permission indicator indicates that the user is allowed to perform the resource 

operation on the resource. 



8. (canceled) 



9. (previously presented) A method as recited in Claim 1 , wherein the file attribute used by 
the Operating System to manage file access is a group identifier file attribute. 
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10. (currently amended) A computer-implemented method for controlling access to a 
resource of a plurality of resources, the method comprising the steps of: 
one or more processors assigning an access value to a group identifier file attribute of a 
file that represents the resource, wherein the group identifier file attribute is used 
by the Operating System to manage file access, wherein the access value is 
uniquely determined by a combination of a particular role and the resource; 
the one or more processors receiving a user identifier from a user requesting access to the 

resource, wherein the user identifier is uniquely associated with the user; 
the one or more processors receiving a group identifier associated with a group to which 
the user belongs; 

the one or more processors based on the user identifier and the group identifier, 

determining a role associated with the user, wherein a role identifier is uniquely 

associated with the role; 
the one or more processors receiving a resource identifier associated with the resource, 

wherein each resource of the plurality of resources is represented by a different 

file stored in a filesystem of an Operating System; 
the one or more processors constructing an access identifier on the basis of the role 

identifier and the resource identifier, wherein the access identifier conforms to the 

format of a group identifier file attribute that is used by the Operating System to 

manage file access; 
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the one or more processors making an Operating System call to perform a file operation 
on the file representing the resource, wherein the Operating System call uses the 
access identifier to gain access to the file representing the resource; and 

the one or more processors granting the user access to the resource only when the 
Operating System call successfully performs the file operation on the file 
representing the resource, wherein the Operating System call successfully 
performs the file operation if the access identifier matches the access value; 

wherein the file operation on the file representing the resource is selected from a group 
consisting of opening the file, closing the file, deleting the file, reading from the 
file, writing to the file, executing the file, appending to the file, reading a file 
attribute, and writing a file attribute; 

reading a permission bit associated with the file representing the resource, wherein the 

permission bit corresponds to a file operation performable on the file representing 
the resource; 

based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission bit allows the file operation to be performed on the file 

representing the resource . 

1 1 . (original) A method as recited in Claim 10, wherein the access identifier comprises: 
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a first set of bits for storing the role identifier, wherein the role identifier represents a 
bitmap, each bit of the bitmap uniquely associated with a role of the user; and 
a second set of bits for storing the resource identifier. 



12. (previously presented) A method as recited in Claim 10, wherein the step of making an 
Operating System call to perform an operation on the file representing the resource 
comprises: 

storing the group identifier value of a group identifier attribute of an Operating System 
process; 

assigning the access identifier to the group identifier attribute of the Operating System 
process; 

calling an Operating System routine from the Operating System process to perform the 
operation on the file representing the resource, wherein the operation on the file 
representing the resource is performed only when the value of the group identifier 
attribute of the Operating System process matches the value of the group 
identifier file attribute of the file representing the resource; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value. 



13. 



(original) A method as recited in Claim 10, wherein the step of making an Operating 
System call to perform an operation on the file representing the resource comprises 
comparing the access identifier to an identifier included in an Access Control List file 
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attribute associated with the file representing the resource, wherein the Access Control 
List file attribute includes the identifiers of all users and all groups of users allowed to 
access the file representing the resource. 

14. (canceled) 

15. (canceled) 

16. (previously presented) A method as recited in Claim 10, the method further comprising 
the steps of: 

opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with a 

resource operation; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission indicator indicates that the user is allowed to perform the 

resource operation on the resource. 

17. (canceled) 

18. (currently amended) A system for controlling access to a resource, of a plurality of 
resources, connected to a network, the system comprising: 
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a client host capable of accessing the resource in response to a request for access from a 
user; 

one or more processors executing an Operating System, wherein the Operating System 

operatively controls a filesystem that includes a number of files; and 
a computer readable medium having stored therein an Application Programming 

Interface, wherein the Application Programming Interface is logically interposed 
between the client host and the Operating System and comprises one or more 
routines including routines w hich, w hen executed by the one or more processors, 
cause the one or more processors to perform the steps of: 
creating and storing in the filesystem a plurality of files that each represents a 

different resource of the plurality of resources; 
assigning an access value to a file attribute of a file that represents the resource, 
wherein the file attribute is used by the Operating System to manage file 
access, wherein the access value corresponds to a combination of a 
particular role and the resource; 
receiving user-identifying information from the user requesting access to the 
resource, wherein the user-identifying information comprises a role 
associated with the user, wherein the role is determined from a user 
identifier uniquely associated with the user and from a group identifier 
associated with a group that includes the user; 
receiving a resource identifier associated with the resource; 
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creating an access identifier based on the user-identifying information and the 

resource identifier, wherein the access identifier is formatted as a file 

attribute that is used by the Operating System to manage file access; 
wherein the step of creating an access identifier based on the user-identifying 

information and the resource identifier comprises formatting the access 

identifier as a group identifier file attribute; 
calling the Operating System to perform a file operation on the file, wherein 

calling the Operating System includes providing the access identifier to 

the Operating System; 
the step of calling the Operating System to perform an operation on the file 

representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an 

Operating System process, and 
calling an Operating System routine from the Operating System process to 

perform the operation on the file representing the resource; ITandll 




granting the user access to the resource only when the Operating System call 
successfully performs the file operation, wherein the Operating System 
call successfully performs the file operation if the access identifier 
matches the access value; 

wherein the file operation on the file representing the resource is selected from a 
group consisting of opening the file, closing the file, deleting the file, 
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reading from the file, writing to the file, executing the file, appending to 

the file, reading a file attribute, and writing a file attribute; 
reading a permission bit associated with the file representing the resource, 

wherein the permission bit corresponds to a file operation performable on 

the file representing the resource; 
based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the 

resource only when the permission bit allows the file operation to be 

performed on the file representing the resource . 



19. (original) A system as recited in Claim 18, wherein the access identifier comprises: 

a first set of bits for storing a role identifier, wherein the role identifier is associated with 
the role; and 

a second set of bits for storing the resource identifier. 



20-38. (canceled) 



39. (currently amended) A computer-readable storage medium, for controlling access to a 
resource of a plurality of resources, carrying one or more sequences of instructions 
which, when executed by one or more processors, causes the one or more processors to 
perform the steps of: 
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creating and storing in a filesystem of an Operating System a plurality of files that each 
represents a different resource of the plurality of resources; 

assigning an access value to a file attribute of a file that represents the resource, wherein 
the file attribute is used by the Operating System to manage file access, wherein 
the access value corresponds to a combination of a particular role and the 
resource; 

receiving user-identifying information from a user requesting access to the resource, 
wherein the user-identifying information comprises a role associated with the 
user, wherein the role is determined from a user identifier uniquely associated 
with the user and from a group identifier associated with a group that includes the 
user; 

receiving a resource identifier associated with the resource; 

creating an access identifier based on the user-identifying information and the resource 

identifier, wherein the access identifier is formatted as a file attribute that is used 

by the Operating System to manage file access; 
wherein the step of creating an access identifier based on the user-identifying information 

and the resource identifier comprises formatting the access identifier as a group 

identifier file attribute; 
calling the Operating System to perform a file operation on the file, wherein calling the 

Operating System includes providing the access identifier to the Operating 

System; and 



Application/Control Number: 10/698,498 Page 14 

Art Unit: 2169 

wherein the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an Operating 
System process, and 

calling an Operating System routine from the Operating System process to 
perform the operation on the file representing the resource; 
granting the user access to the resource only when the Operating System call successfully 

performs the file operation, wherein the Operating System call successfully 

performs the file operation if the access identifier matches the access value; 
wherein the file operation on the file representing the resource is selected from a group 

consisting of opening the file, closing the file, deleting the file, reading from the 

file, writing to the file, executing the file, appending to the file, reading a file 

attribute, and writing a file attribute; 
reading a permission bit associated with the file representing the resource, wherein the 

permission bit corresponds to a file operation performable on the file representing 

the resource; 

based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission bit allows the file operation to be performed on the file 

representing the resource . 
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40. (previously presented) A computer-readable storage medium as recited in Claim 39, 
wherein the access identifier comprises: 

a first set of bits for storing a role identifier, wherein the role identifier is associated with 
the role; and 

a second set of bits for storing the resource identifier. 

41. (canceled) 

42. (previously presented) A computer-readable storage medium as recited in Claim 39, 
wherein the step of calling the Operating System to perform an operation on the file 
representing the resource comprises comparing the access identifier to an identifier 
included in an Access Control List file attribute associated with the file representing the 
resource, wherein the Access Control List file attribute includes the identifiers of all users 
and all groups of users allowed to access the file representing the resource. 

43. (canceled) 

44. (canceled) 

45. (previously presented) A computer-readable storage medium as recited in Claim 39, 
carrying one or more additional sequences of instructions which, when executed by one 
or more processors, further causes the one or more processors to perform the steps of: 



Application/Control Number: 10/698,498 Page 16 

Art Unit: 2169 

opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with a 

resource operation; and 
enabling the user to perform the resource operation on the resource only when the 

permission indicator indicates that the user is allowed to perform the resource 

operation on the resource. 

46. (canceled) 

47. (previously presented) A computer-readable storage medium as recited in Claim 39, 
wherein the file attribute used by the Operating System to manage file access is a group 
identifier file attribute. 

48. (currently amended) A computer-readable storage medium, for controlling access to a 
resource of a plurality of resources, carrying one or more sequences of instructions 
which, when executed by one or more processors, causes the one or more processors to 
perform the steps of: 

assigning an access value to a group identifier file attribute of a file that represents the 
resource, wherein the group identifier file attribute is used by the Operating 
System to manage file access, wherein the access value is uniquely determined by 
a combination of a particular role and the resource; 
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receiving a user identifier from a user requesting access to the resource, wherein the user 

identifier is uniquely associated with the user; 
receiving a group identifier associated with a group to which the user belongs; 
based on the user identifier and the group identifier, determining a role associated with 

the user, wherein a role identifier is uniquely associated with the role; 
receiving a resource identifier associated with the resource, wherein each resource of the 

plurality of resources is represented by a different file stored in a filesystem of an 

Operating System; 

constructing an access identifier on the basis of the role identifier and the resource 
identifier, wherein the access identifier conforms to the format of a group 
identifier file attribute that is used by the Operating System to manage file access; 

making an Operating System call to perform a file operation on the file representing the 
resource, wherein the Operating System call uses the access identifier to gain 
access to the file representing the resource; and 

granting the user access to the resource only when the Operating System call successfully 
performs the file operation on the file representing the resource, wherein the 
Operating System call successfully performs the file operation if the access 
identifier matches the access value; 

wherein the file operation on the file representing the resource is selected from a group 
consisting of opening the file, closing the file, deleting the file, reading from the 
file, writing to the file, executing the file, appending to the file, reading a file 
attribute, and writing a file attribute; 
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reading a permission bit associated with the file representing the resource, wherein the 

permission bit corresponds to a file operation performable on the file representing 
the resource; 

based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission bit allows the file operation to be performed on the file 

representing the resource . 



49. (previously presented) A computer-readable storage medium as recited in Claim 48, 
wherein the access identifier comprises: 

a first set of bits for storing the role identifier, wherein the role identifier represents a 
bitmap, each bit of the bitmap uniquely associated with a role of the user; and 
a second set of bits for storing the resource identifier. 



50. (previously presented) A computer-readable storage medium as recited in Claim 48, 

wherein the step of making an Operating System call to perform an operation on the file 
representing the resource comprises: 

storing the group identifier value of a group identifier attribute of an Operating System 
process; 

assigning the access identifier to the group identifier attribute of the Operating System 
process; 
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calling an Operating System routine from the Operating System process to perform the 
operation on the file representing the resource, wherein the operation on the file 
representing the resource is performed only when the value of the group identifier 
attribute of the Operating System process matches the value of the group 
identifier file attribute of the file representing the resource; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value. 

5 1 . (previously presented) A computer-readable storage medium as recited in Claim 48, 
wherein the step of making an Operating System call to perform an operation on the file 
representing the resource comprises comparing the access identifier to an identifier 
included in an Access Control List file attribute associated with the file representing the 
resource, wherein the Access Control List file attribute includes the identifiers of all users 
and all groups of users allowed to access the file representing the resource. 

52. (canceled) 

53. (canceled) 



54. 



(previously presented) A computer-readable storage medium as recited in Claim 48, 
carrying one or more additional sequences of instructions which, when executed by one 
or more processors, further causes the one or more processors to perform the steps of: 
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opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with a 

resource operation; and 
granting the user the privilege of performing the resource operation on the resource only 

when the permission indicator indicates that the user is allowed to perform the 

resource operation on the resource. 

55. (canceled) 

56. (currently amended) An apparatus for controlling access to a resource of a plurality of 
resources, comprising: 

means for creating and storing in an Operating System filesystem a plurality of files that 
each represents a different resource of the plurality of resources; 

means for assigning an access value to a file attribute of a file that represents the 

resource, wherein the file attribute is used by the Operating System to manage file 
access, wherein the access value corresponds to a combination of a particular role 
and the resource; 

means for receiving user-identifying information from a user requesting access to the 
resource, wherein the user-identifying information comprises a role associated 
with the user, wherein the role is determined from a user identifier uniquely 
associated with the user and from a group identifier associated with a group that 
includes the user; 
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means for receiving a resource identifier associated with the resource; 

means for creating an access identifier based on the user-identifying information and the 

resource identifier, wherein the access identifier is formatted as a file attribute that 

is used by the Operating System to manage file access; 
wherein means for creating an access identifier based on the user-identifying information 

and the resource identifier comprises means for formatting the access identifier as 

a group identifier file attribute; 
means for calling the Operating System to perform a file operation on the file, wherein 

calling the Operating System includes providing the access identifier to the 

Operating System; [[and]] 
wherein means for calling the Operating System to perform an operation on the file 

representing the resource comprises: 

means for assigning the access identifier to a group identifier attribute of an 

Operating System process, and 
means for calling an Operating System routine from the Operating System 

process to perform the operation on the file representing the resource; 
means for granting the user access to the resource only when the Operating System call 
successfully performs the file operation, wherein the Operating System call 
successfully performs the file operation if the access identifier matches the access 
value; 

wherein the file operation on the file representing the resource is selected from a group 
consisting of opening the file, closing the file, deleting the file, reading from the 
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file, writing to the file, executing the file, appending to the file, reading a file 

attribute, and writing a file attribute; 
means for reading a permission bit associated with the file representing the resource, 

wherein the permission bit corresponds to a file operation performable on the file 

representing the resource; 
means for determining, based on the file operation indicated by the permission bit, a 

resource operation that is performable on the resource; and 
means for granting the user the privilege of performing the resource operation on the 

resource only when the permission bit allows the file operation to be performed 

on the file representing the resource . 

57. (previously presented) An apparatus as recited in Claim 56, wherein the access identifier 
comprises: 

a first set of bits for storing a role identifier, wherein the role identifier is associated with 
the role; and 

a second set of bits for storing the resource identifier. 

58. (canceled) 

59. (canceled) 
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